The SLoad Powershell Threat is Expanding to Italy

Introduction

In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These malicious email messages shared common techniques and are likely related to a single threat group starting its operations against the Italian cyber panorama. It is still not clear whether these attack attempts originate from a well established cyber-crime group modifying its TTPs or from a completely new one; however, CERT-Yoroi is tracking this threat with the internal codename “Sload-ITA” (TH-163). Other similar operations have also been documented by SANS ICS researchers in the UK this past May. The malicious campaigns share the same drop schema, based on the abuse of code-hiding techniques within compressed archives, and similar drop-url patterns:

The samples recovered during the response operations have been collected and dissected by the Yoroi-Cybaze ZLAB to unveil details of the malicious implant used by these attackers. The following figure summarizes the steps of the sLoad malware infection.

Figure 1. SLoad infection schema

Technical analysis

The malicious sample analyzed is a compressed zip archive containing two distinct files:

a link pretending to point to a system folder, named “invio fattura elettronica.lnk”

a hidden JPEG image, “image _20181119_100714_40.jpg”, stored with the HA (Hidden and Archive) attributes.

Despite its innocent-looking shape, the LNK file extracted from the archive has been weaponized in a way similar to the one adopted by APT29 during their latest operations, demonstrating that this technique is part of several malicious cyber-arsenals. In fact, when the user double-clicks on the file, a batch script spawns the powershell script below:

The PS script searches for any file matching the pattern “documento-aggiornato-novembre-*.zip”: if the file exists, the script extracts a portion of code appended at its end and subsequently invokes it through the “IEX” (Invoke-Expression) primitive; we inspected the zip file and recovered this small code section. In the following figure the expected archive content is highlighted in the pink and yellow selection, and the alien code in blue.
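As an added defender-side check (not code from the report or from the malware), the following Python script parses a ZIP archive's End Of Central Directory record to measure any bytes appended after the archive proper, the spot where this loader hides the code it later passes to IEX, and also reports entries carrying the MS-DOS Hidden attribute, like the JPEG in the archive described above. The archive it analyzes is a constructed lookalike with placeholder content; no real sample bytes are embedded.

```python
"""Flag ZIP archives with data appended after the End Of Central Directory
(EOCD) record and list entries marked hidden via MS-DOS attributes.
Added detection example; not code from the report."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
# sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset, comment_len
EOCD_FMT = "<4s4HIIH"
DOS_HIDDEN, DOS_ARCHIVE = 0x02, 0x20
# Constructed stand-in for the script the loader carves off the archive tail.
APPENDED_CODE = b"# appended powershell placeholder\n"


def analyze_zip(data: bytes) -> dict:
    """Return per-entry DOS attributes and the number of bytes trailing the archive."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no EOCD record: not a ZIP archive")
    comment_len = struct.unpack_from(EOCD_FMT, data, pos)[-1]
    archive_end = pos + struct.calcsize(EOCD_FMT) + comment_len
    trailing = data[archive_end:]          # anything here is not part of the ZIP
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dos_attr = info.external_attr & 0xFF   # low byte holds MS-DOS attributes
            entries.append({"name": info.filename,
                            "hidden": bool(dos_attr & DOS_HIDDEN),
                            "archive": bool(dos_attr & DOS_ARCHIVE)})
    return {"entries": entries,
            "trailing_bytes": len(trailing),
            "trailing_preview": trailing[:64],
            "suspicious": bool(trailing) or any(e["hidden"] for e in entries)}


def build_sample() -> bytes:
    """Constructed lookalike of the reported archive: LNK + hidden JPEG + appended code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invio fattura elettronica.lnk", b"<lnk placeholder>")
        jpg = zipfile.ZipInfo("image _20181119_100714_40.jpg")
        jpg.external_attr = DOS_HIDDEN | DOS_ARCHIVE      # the report's "HA" attributes
        zf.writestr(jpg, b"\xff\xd8\xff\xe0 fake jpeg bytes")
    return buf.getvalue() + APPENDED_CODE


if __name__ == "__main__":
    print(analyze_zip(build_sample()))
```

Python's zipfile opens such an archive without complaint, which is why the trailing bytes must be measured from the EOCD record explicitly rather than inferred from a failed open.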

Figure 2. Code attached to the Zip Archive

This portion of the file contains runnable code invoked by the powershell script. This code is able to download other scripts from “firetechnicaladvisor.com” by abusing the “bitsadmin.exe” functionality, and then stores all the newly downloaded files inside the “%APPDATA%/<UUID>” folder. The following figure shows the folder’s content after the download of the components of the malicious implant:

Figure 3. Components of the malicious implant

The snippet above, instead, shows the code responsible for the download of these parts of the malware.

The following figures show how this particular piece of code is invoked by other components of the malicious implant: it’s possible to notice that the script is launched with the input parameter (“1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16”), used as the cryptographic key to decrypt the content of “config.ini”, the real payload of the malware.

Instead, decrypting the “web.ini” contents reveals the remote addresses of the C2 used by the malicious implant: https://hamofgri.me/images/, https://ljfumm.me/images/

The malicious agent collects information about the victim machine, such as: domain, DNS cache, running processes, IP and system architecture. Moreover, it periodically captures screenshots of the victim’s current desktop, searches for the Microsoft Outlook folder and collects information about the presence of “*.ICA“ Citrix files within the user directory. All this information is sent to the command and control destinations. After the submission of the data, it receives further powershell code directly from the attacker. This behavior is characteristic of Trojan/Spyware malware, often used as a bridgehead for the recon of compromised hosts, potentially even during the initial stages of more complex attacks.

Figure 6. VT score Sload malware component

Conclusion

The recent sLoad attack waves, reported by third-party security firms and governmental CERTs too, represent an important threat for the Italian landscape due to the well designed phishing email themes and the possibly low rate of detection of the techniques used within the malware implant itself.

It’s still not clear whether the group behind these attacks is a completely new actor in the cyber-crime panorama; however, a possible initial malicious operation may have been spotted in the wild in May 2018, targeting UK users, while the more recent attack campaigns against Italian users seem to have begun this past October, indicating an expansion of the group’s malicious activities.

CERT-Yoroi is currently tracking the TH-163 operations within the Italian landscape, and the ZLAB team is continuously analyzing its artifacts, malware implants and techniques to ensure the protection of our constituency.